The New Threat: Attackers That Target Healthcare Organizations (And what you can do about it)

White paper The New Threat: Attackers That Target Healthcare
Organizations (And what you can do about it) Abstract Healthcare organizations (HCOs) are facing a new threat. They're being targeted by financially motivated attackers that steal and sell valuable data -- including identities -- and computing resources. Armed with sophisticated tools, attackers exploit countless software vulnerabilities that exist in the multitude of systems a provider relies upon, including web-based applications such EHR/EMR systems. The consequences of an attack can include reductions in quality of care, service disruptions, reduced revenues, higher operating costs, and regulatory fines. Current security approaches, including network or perimeter defenses, do not adequately protect against the new threat, and can be bypassed. It is imperative that healthcare organizations conduct a vulnerability assessment of their critical applications, and evaluate intrusion prevention as a key compensating control to mitigate the growing risk.
, Table of Contents
1. Introduction ...................................................................................................................................1 2. The New Threat............................................................................................................................1 3. Applications - The Heart of Your Healthcare Facility...................................................................3 4. Why Are Applications Vulnerable? ...............................................................................................4 5. The Consequences of an Attack ..................................................................................................4 6. Current Security Approaches Are Not Adequate..........................................................................6 7. Steps You Can Take To Reduce Your Risk .................................................................................7 8. Intrusion Prevention-Your Best, Last Line of Defense...............................................................8
1. Introduction It's a typically busy morning at the hospital, with all operating rooms booked to capacity. Down in the ER, doctors are treating a steady stream of emergencies. Over in radiology, several patients are being prepped for MRIs. But at 8:35am, the day's steady rhythm is shattered. Something's wrong. The operating room doors won't open. Shortly after, the nurses in the ICU can't log onto the computers. At 9:05, pagers stop working. And by 11am, the MRI machine has crashed, leaving a waiting room of frustrated, anxious patients. Meanwhile, a thousand miles away, a middle-aged man sits alone at his PC, and smiles to himself, as the wreckage unfolds. A few keystrokes later and he's into the database of the hospital's EHR/EMR system, calmly extracting valuable data from thousands of patients that he'll quickly sell for a tidy profit. Another Hollywood thriller, set in the distant future? Unfortunately not. Although this perfect storm of events is unlikely to occur in a single morning, this is the reality that healthcare providers operate in today. Healthcare organizations are being targeted by attackers.
2. The New Threat Until recently, attention-seeking hackers were the main IT security threat to businesses, including healthcare organizations. They would write code, unleash it into cyberspace, and hope for their 15 minutes of fame. These types of mass attacks often had no particular target in mind; they would simply seek out vulnerabilities in a system-typically in operating systems and networks-and exploit them. But that was when hackers and their motives were less dangerous. Recently though, security intelligence experts have detected "the tell-tale signs of organized crime gangs and government espionage in attacks, and a hacker community much more motivated by financial gain than
© 2006, Third Brigade, Inc 1 www.thirdbrigade.com personal or political fulfillment." (Forrester, "Increasing Organized Crime Involvement Means More Targeted Attacks", August 2, 2005) Hackers have now become attackers who target particular organizations or groups or users. Motivated by money, revenge, and perhaps in the future by terror, they take control of computing devices to steal identities and confidential data that can then be sold, to use for illegal purposes like sending spa... [download for more]